Known Issues and Limitations

Known Issues

Work Order #

Description

SUG97025

When using a portal certificate, Safari on Mac will attempt to connect to the
certificate revocation list (CRL) URL before displaying the portal. Because
authentication is not complete, the URL is blocked by the appliance, and the portal
is not displayed. To resolve this:

On the Config > System > Authentication page, in the Profiles tab, create an
authentication profile that references the Mac OS X authentication profile.
Ensure that this authentication profile applies to all connections, that it is
applied only to the CRL URL, and that it bypasses authentication.

For more information, see the Configuring Connection and
Authentication Profiles example in the help.

DEF90478

Manually downloading a backup using Internet Explorer (IE) may fail. This can
be caused by certain combinations of settings. The description of the issue and its
resolution for IE v9 can be found in this Microsoft support article, while the
description and resolution for earlier versions of IE can be found in this Microsoft
support article.

DEF88976

When testing sites on the Network > Diagnostic Tools page, you must enter the address without the protocol. For instance,
enter www.example.com and not
http://www.example.com.

WKI67266

Endpoint to Sophos Web Appliance (SWA) communication does not work with non-SWA
proxies that use ActiveDirectory authentication.

WKI75267

If an endpoint registers with a Sophos Web Appliance (SWA) or Sophos Management
Appliance (SMA), then registers with a second, different SWA or SMA, it will then be
unable to re-register with the first SWA or SMA.

DEF72642

In load-balancing mode, some unique users may be double-counted on the
Management Appliance dashboard when one of the load-balanced appliances becomes
temporarily unavailable.

DEF51492

If you want your users to be able to communicate using the stand-alone
version of Google Talk, you must add both talk.google.com and
www.google.com to the HTTPS scanning exemption list.

Note that
adding www.google.com to the HTTPS scanning exemption list can
potentially prevent search terms from being logged, if
https://www.google.com is used to perform a search.
Alternatively, instead of adding talk.google.com and
www.google.com to the HTTPS scanning exemption list, you can
instruct your users to launch a web-based version of the application from within
Gmail.

DEF51244

When a proxy with an incompatible forwarding method attempts to join a Web
Cache Communication Protocol (WCCP) service group, the Cisco router correctly
detects that an unusable proxy has joined, but it does not update the router's
record. To correct this, you must disable WCCP on the router, and then re-enable it,
clearing the list of known routers.

SUG40083

By default, the Adobe Flash player uses port 1935 to receive streamed content.
The Sophos
Web Appliance does not block this traffic
(unless you have configured your policy to block Adobe Flash video), but it is
common for firewalls to block traffic through this port. If you find that you are
unable to view Flash videos in your network, and you have not explicitly blocked
access to Adobe Flash video in your policy, open port 1935 access on your firewall.
Other solutions are available, but are beyond the scope of the Sophos
Web Appliance documentation; however, you can examine the
options discussed in this Adobe article: http://www.adobe.com/devnet/flashcom/articles/firewalls_proxy02.html.

SUG34557

If you change a Web Appliance from explicit to
either bridged or transparent mode, it causes interoperability issues with the
spanning-tree calculations of Cisco switches. This can be overcome by running
spanning-tree bpduguard disable for the appropriate port on the
Cisco switch.

SUG32420

Currently, a Local Site List entry with an unused tag can take precedence over a
Local Site List entry with a used tag, potentially disabling the used tag. To prevent
this, ensure that every tag you add has actions configured in the Configuration >
Group Policy > Additional Policies wizard.

SUG31712

By default, the instant messaging application, ICQ, connects to
login.icq.com through port 5190, which will not work with the
Web Appliance. To be able to connect, ICQ must be
reconfigured to use port 80 for this connection.

SUG31038

If a Web Appliance is joined to a Security Management Appliance by entering the
Security Management Appliance's fully qualified domain name in the Hostname text box
on the Configuration > System > Central Management page, but an administrator later
accesses the Security Management Appliance's administrative web interface by its IP
address while proxying through the Web Appliance, the usual policy bypass for that
access is not applied, because the IP address is not recognized as being the
Security Management Appliance.

SUG26603

The Web Appliance's PDF generation library does not
support all character sets, so Active Directory user names that use unsupported
character sets do not render correctly.

SUG24359, SUG48524

HTTP range requests, or partial-content requests, are used by download
accelerators and for large PDF files to download partial "ranges" of a file. These
are only allowed by the Web Appliance for trusted sites.
This is by design. Partial files cannot be scanned for viruses or other malware, so
allowing HTTP range requests only makes sense for completely trusted sites.
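The following is an added example, not code from the Sophos Web Appliance, showing one way to implement the rule just described: a Range request is recognized by its RFC 7233 header, passed through only for a trusted site, and otherwise has its Range and If-Range headers removed so the origin returns the whole object for scanning. The TRUSTED_SITES table and the host names are constructed for the example; whether the real appliance strips the header or rejects the request is not stated on this page.

```python
import re

# Constructed trust table standing in for the appliance's Local Site List;
# the host names are made up for this example.
TRUSTED_SITES = {"updates.example-trusted.com"}

# RFC 7233 byte-range-set: "bytes=" then specs such as 0-499, 500- or -500.
_RANGE_RE = re.compile(
    r"^bytes=\s*(?:\d+-\d*|-\d+)(?:\s*,\s*(?:\d+-\d*|-\d+))*$", re.IGNORECASE)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_range_request(headers):
    """True when the request asks for only part of an object."""
    value = _header(headers, "Range")
    return bool(value and _RANGE_RE.match(value.strip()))


def apply_range_policy(host, headers):
    """Decide how to forward a request under the 'trusted sites only' rule.

    Returns (headers_to_forward, partial_allowed, scan_full_object, reason).
    For an untrusted site the Range and If-Range headers are removed so the
    origin returns the whole object and the scanner sees a complete file
    (an assumed implementation of the documented behaviour, not the
    appliance's own code).
    """
    forwarded = dict(headers)
    if not is_range_request(forwarded):
        return forwarded, False, True, "complete object requested; scan as usual"
    if host.lower().rstrip(".") in TRUSTED_SITES:
        return forwarded, True, False, "trusted site; partial content passes unscanned"
    for key in list(forwarded):
        if key.lower() in ("range", "if-range"):
            del forwarded[key]
    return forwarded, False, True, "untrusted site; range stripped, full download scanned"
```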

DEF23793, SUG31838

If you are proxying through the Web Appliance to
access the Web Appliance's Administrator web interface,
saving settings in the Configuration > Network > Network Interface page may cause an erroneous "Problem Saving Settings" message to be
displayed in the status bar at the bottom of the page. To avoid this and other
subsequent problems, it is strongly advised that you access the administrative web interface through a direct, non-proxied,
connection.

Your users will not be able to access AOL Instant Messenger (AIM) if you have
HTTPS scanning or certificate validation enabled. The workaround for this problem is
to either set the site as globally allowed or add the AOL Instant Messaging
server(s) to your Configuration > Group Policy > Local Site List and set the Risk Level to
Trusted. Also, you must either turn Certificate Validation
Off, or add that server's certificate authority by entering
the AOL Instant Messenger server's Site address and clicking
Get Certificate in the Add certificate from a
web site section of the Configuration > Global Policy > Certificate Validation page. As the URL and IP address(es) of the AOL Instant Messaging
server(s) may differ depending on your geographical region, and may change over
time, you must discover this information by disabling HTTPS Scanning and Certificate
Validation, and then having one of your users access this service (use AOL Instant
Messaging). You can then check the Search > Recent Activity Search > By User for that user to find the AOL Instant Messaging server's URL(s) and
IP address(es).

SUG23486

When a RealPlayer client is operating behind a strict firewall, you must
configure RealPlayer to use the "HTTP Only" option to connect to the Internet, even
though this option tends to deliver a more intermittent playback than other options.
Alternatively, you can open port 554 on your firewall.

SUG21539

In Internet Explorer, some websites or pop-ups may not display properly and the
user may receive "Web page cannot be displayed" or "Object expected" error messages.
This is a known Internet Explorer issue, and is due to an Internet Explorer update
not getting installed. To remedy this issue, please ensure that you have installed
cumulative security update MS08-024. For more information, see Microsoft KB947864.

DEF19675

Users who are not connected to the same Active Directory domain to which the
Web Appliance is connected will experience problems
using applications (such as Microsoft Office Activation) that do not prompt for
credentials. These applications will fail to connect to the Internet through the
proxy because they do not automatically provide the correct domain user credentials
for the domain used by the Web Appliance, nor do they
prompt (as a browser would) for the user to enter their correct name and password.
Either have these clients connect to the proper Active Directory domain or add the
IP address of the problem system to the Allow unauthenticated browsing
for the following IP addresses list in the Configuration > System > Active Directory page.

DEF11744

Users may be prompted to log in when trying to open streaming media with Windows
Media Player 9. This issue is related to two Microsoft knowledge base issues:

If you have an internal Windows update server, add its hostname as a trusted
site to the appliance local classifications to ensure that there are no
interruptions in your local Windows update service. Automatic Windows Updates via
Microsoft's sites are unaffected.

No Number

While the appliance is under heavy load, the Blocked
Sites and various Users reports may take up to
a minute to generate.

DEF48710, DEF10961, DEF48620

Various sites generate occasional credential pop-ups when using Firefox with
NTLM authentication turned on, and configured to Authenticate all
requests.

DEF48810 (SUG08290)

The Web Appliance web interface can slow down or
freeze when enabling Remote Assistance. Once the request succeeds or times
out it will return to normal. Proxy usage is not affected.

No Number

To block access to internal sites (ones that your internal DNS will resolve to
an internal domain), you will need to create multiple entries in the local
classifications for each applicable FQDN. If you do not do this, users will be able
to bypass filtering by entering the unqualified internal hostname. For example, for
a server on your network called testbox that is available on two domains, you
would need to add testbox.domain1.com, testbox.domain2.com and
testbox to the Local Classifications.
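An added example (not code from the appliance) that generalizes the testbox case above: it builds the full set of Local Classifications entries for an internal host, checks whether a request URL matches them, and reports which names would still bypass the block when only some entries are configured. The domain names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example data: a server called "testbox" reachable under two
# DNS domains, as in the issue above; the domain names are made up.
SEARCH_DOMAINS = ["domain1.com", "domain2.com"]


def _norm(name):
    """Lower-case a host name and drop a trailing dot (absolute FQDN form)."""
    return name.strip().lower().rstrip(".")


def classification_entries(hostname, search_domains):
    """All Local Classifications entries needed to block one internal host:
    the unqualified name plus one FQDN per domain it is reachable under."""
    short = _norm(hostname).split(".")[0]
    return {short} | {f"{short}.{_norm(d)}" for d in search_domains}


def request_host(url):
    """Host part of a request URL as the browser would send it."""
    host = urlsplit(url).hostname
    return _norm(host) if host else ""


def is_blocked(url, entries):
    """Does a request to this URL match any configured entry?"""
    return request_host(url) in {_norm(e) for e in entries}


def bypass_names(hostname, search_domains, configured_entries):
    """Names a user could still type to reach the host despite the block:
    the gap between the entries needed and the entries configured."""
    needed = classification_entries(hostname, search_domains)
    return sorted(needed - {_norm(e) for e in configured_entries})
```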

DEF48700, DEF48702, DEF74075

Various software, including QuickTime and Yahoo Messenger, may require HTTP 1.1
through proxy connections. To enable this for Internet Explorer:

1. Choose Tools > Internet Options.

2. Click Advanced and select Use HTTP 1.1
through proxy connections.

3. Click OK.

DEF48392, DEF48522

Reports do not show graphs for the first hour after midnight. Graphical reports
will not show values between 12AM and 1AM.

DEF80779

When an appliance configured in transparent mode and with HTTPS scanning
enabled reboots, users who have their default page set to an HTTPS site will not be
properly authenticated to Active Directory. To avoid this, users can configure their
default homepage as an HTTP site rather than an HTTPS site.

Limitations

Work Order #

Description

No Number

When the Sophos
Web Appliance uses eDirectory to
identify users, the following issues may occur:

Terminal Server assigns the same address to multiple users. The Web Appliance resolves identification conflicts by
selecting the user with the most recent login time. Only the user logged in last
is identified correctly.

Users may log in on multiple workstations using the same account. For the
first login, the Web Appliance caches and uses the
correct username for Group Policy. For subsequent logins, the Web Appliance uses the workstation's IP address for Group
Policy. It is recommended that you avoid logging in from different
workstations.

DEF60685

A limitation in Internet Explorer prevents usernames of the forms
DOMAIN\username, domain.tld\username or username@domain.tld
from working with FTP sites that require authentication. Instead, only the simple
username should be used for FTP sites. If it is necessary to use one of the three
listed forms, you should use the Firefox browser instead. For more information, see
the associated Microsoft knowledgebase
article.

SUG31737

Access to Yahoo! Messenger is disabled when certificate validation is turned
on. To enable access to Yahoo! Messenger, Certificate
Validation must be turned Off in the Configuration > Global Policy > Certificate Validation page. Alternatively, Certificate Validation
can be turned On, but you must add the certificate used by
Yahoo! Messenger in the Configuration > Global Policy > Certificate Validation page. Yahoo! Messenger uses multiple servers, but each of these uses
the same certificate, so you can get this certificate from any of the following
servers: 216.155.194.149, 98.136.113.168, or 98.136.113.173.

DEF27953

When the DNS servers in the Configuration > Network > Network Interface page are specified manually, only the first DNS server is used to
look up the Active Directory domain when you run Verify
Settings in the Configuration > System > Active Directory page. The first DNS server configured in the Configuration > Network > Network Interface page must be able to resolve the Active Directory domain.

DEF21244

Occasionally, web pages from an allowed site will contain images or other
resources that are linked in from blocked sites. These content resources will be
blocked, which may leave the resulting page looking broken. This is the expected
behavior and can only be changed by either allowing the content from the blocked
site or blocking the allowed site that contains the blocked resources.

SUG17217

The patience page that is displayed when using FTP-over-HTTP in Internet
Explorer is always in English as Internet Explorer does not include the
“Accept-Language” attribute-value pair in the HTTP request. (For an explanation, see
the FTP-over-HTTP glossary entry.)

DEF15645

If an ISA Server is used as upstream proxy of a Web Appliance, you will be unable to:

Service Principal Name (SPN) formatted usernames (for example,
user@domain) are not supported when applying policy to a user.
Usernames must be in the Down-Level Logon Name format (for example,
DOMAIN\username).
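An added example (not code from the appliance) covering both DEF60685 and the SPN note above: it recognizes the three username forms mentioned (DOMAIN\username, domain.tld\username, username@domain.tld), rewrites any of them to the Down-Level Logon Name form, and extracts the simple username that Internet Explorer needs for authenticated FTP. The NETBIOS_NAMES table mapping a DNS domain to its NetBIOS name is constructed; in practice it comes from your own forest.

```python
import re

# Constructed DNS-domain to NetBIOS mapping; real values come from your AD forest.
NETBIOS_NAMES = {"corp.example.com": "CORP"}

_UPN = re.compile(r"^(?P<user>[^@\\/\s]+)@(?P<domain>[^@\\/\s]+)$")          # user@domain.tld
_DOWN_LEVEL = re.compile(r"^(?P<domain>[^@\\/\s]+)\\(?P<user>[^@\\/\s]+)$")  # DOMAIN\user


def parse_logon_name(name):
    """Split any of the three documented forms into (domain, user).
    A bare username yields (None, user); anything else is rejected."""
    name = name.strip()
    for pattern in (_UPN, _DOWN_LEVEL):
        m = pattern.match(name)
        if m:
            return m.group("domain"), m.group("user")
    if not name or re.search(r"[@\\/\s]", name):
        raise ValueError(f"unrecognised logon name: {name!r}")
    return None, name


def to_down_level(name, netbios_names=NETBIOS_NAMES):
    """Rewrite to DOMAIN\\user, the form the appliance applies policy with.
    A dotted (DNS) domain is translated through the NetBIOS table."""
    domain, user = parse_logon_name(name)
    if domain is None:
        raise ValueError("no domain in logon name; cannot build down-level form")
    if "." in domain:
        try:
            domain = netbios_names[domain.lower()]
        except KeyError:
            raise ValueError(f"unknown DNS domain {domain!r}") from None
    return f"{domain.upper()}\\{user}"


def ftp_username(name):
    """The simple username Internet Explorer needs for authenticated FTP sites."""
    return parse_logon_name(name)[1]
```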

DEF14181

If the Web Appliance attempts to display
notification pages in more than two tabs of Internet Explorer, only the first two
notification pages will display. This is a deliberate Internet Explorer
limitation (only two connections are allowed per server), documented in
http://support.microsoft.com/kb/282402, and therefore cannot be
addressed by the Web Appliance.

SUG12261

In order to use certain Autodesk applications, such as Land Desktop, AutoCAD
Map, Raster Design, Survey, Viz, Architectural Desktop, Revit, and Civil 3d,
autodesk.com must be added to the Local Classifications as a trusted
site.

SUG11277

If the administrator's Username entered in the Configuration > System > Active Directory page contains UTF-8 characters, the username will not be saved
properly and it will cause "Invalid Credentials" errors on subsequent logins. To
prevent such errors, ensure that the administrator username you select does not
contain any UTF-8 characters.